Restricted/Limited Access Network project meeting

Monday, September 9, 2013; 3:00 p.m.; AISB-208

Invited

Phil Benchoff, Jacob Dawson, Marc DeBonis, Brian Jones, Ron Keller, Philip Kobezak, Greg Kroll, Steve Lee, Randy Marchany, Rich Sparrow, Lucas Sullivan, Brad Tilley

Agenda

  1. Review action items and comments from 20130805 - August 5, 2013 RLAN Project Status Meeting
  2. Status of Phase 1 final security review
  3. Determine how many users are actually using RLAN
  4. Separate VPN for remote RLAN users?
  5. User workstation requirements/oversight (Will there be any university requirement for users to participate? authority/enforcement?)
  6. ITSO access to CNS Engineering Change Order process
  7. Whitelisting issues
  8. The MOU between CNS and ITSO
  9. Documentation and support requirements
  10. Who will be the next set of departments included in RLAN Phase 2?
  11. What are the plans for getting all hardware/software in the RLAN IPv6 capable?
  12. What needs to be budgeted for to support this next Phase? In CNS? In ITSO?
  13. Open Forum

Attended

Phil Benchoff, Brian Jones, Ron Keller, Philip Kobezak, Greg Kroll, Randy Marchany, Rich Sparrow, Lucas Sullivan, Brad Tilley

Agenda

  1. Review action items and comments from 20130805 - August 5, 2013 RLAN Project Status Meeting
    1. Action item: Rich will contact Vivian Rich to get the AISB RLAN connections completed.
      1. Still unresolved. Rich and Philip will contact AISB users with RLAN ports and help them determine which portal to use for RLAN.
    2. Action item: Greg will initiate the final security review and request input from project leads and team members.
      1. Have received input from NI&S. ITSO is reviewing it and will have it done by 9/13/2013.
  2. Status of Phase 1 final security review
    1. See note above.
  3. Determine how many users are actually using RLAN
    1. Still only about 6 users are actively using the RLAN. Part of the problem is attributed to the RLAN outage that occurred on the same day as the planned Core and Border Network Maintenance (8/2/2013), which is making pilot departments shy about using the RLAN, especially during the busy beginning of the fall semester.
    2. Fall rush time put a hold on further involvement with RLAN for the pilot departments.
    3. End users are not a trustworthy source for diagnosing whether there are problems with the RLAN.
    4. The Network Operations Center (NOC) does not know where to route calls about the RLAN. Action item: Luke will talk to Joyce Landreth about some basic training/education for the Call Center regarding the RLAN.
    5. Brad Tilley said that the ITSO has high-level monitoring in place on the RLAN that watches connectivity to some whitelisted sites, so the ITSO is likely to know about problems before the users do. Brad said they are staffed roughly 7:00 am to 7:00 pm; within that timeframe, if the ITSO can reliably determine that there is an outage or problem with the RLAN, they will contact the Call Center/NOC and let them know.
    6. There was some discussion about setting up a webserver on the RLAN so diagnosticians and the ITSO can do some simple testing, like ping and traceroute, to see if there are problems internal to the RLAN. It was mentioned that it might be a good idea to put an RLAN connection in the NOC.
  4. Separate VPN for remote RLAN users?
    1. After some discussion of risks, Randy, with his IT Security Officer hat on, approved of a separate VPN with a separate authorization process for RLAN access.
    2. Some users are using Remote Desktop Protocol (RDP).
  5. User workstation requirements/oversight (Will there be any university requirement for users to participate? authority/enforcement?)
    1. Departments will be strongly encouraged to have key personnel on the RLAN, but there is no requirement other than that set forth by Policy 7010.
    2. There is some resistance, especially from departments with their own information technology personnel, to adopting the strict security standards set forth by the ITSO.
    3. Randy commented that some departments, such as the Bursar, use pretty restrictive computer security images. Randy said that if a department can convince him that their computer security settings, based on their business needs, are secure, he will approve their use.
    4. One method used to evaluate the effectiveness of security settings is to run a CIS score against an image; if it scores 100%, then it is good. Any score less than 100% must be evaluated to determine why and what changed. This also gives us an effective audit tool which can be used by auditors to evaluate security settings in departments.
    5. The ITSO has available for download/distribution an ITSO folder that contains scripts to tighten down the base computer (uses Microsoft Security Compliance Manager) and then run a Virtual Machine (VM) to connect to RLAN and perhaps another VM to use with the Internet. When used, this secures the base computer.
    6. Randy estimates that there are 3-5 people in each of 190 departments that need to be on the RLAN, so a maximum of approximately 950 users. Departments like the Bursar and Human Resources would then have all personnel included, so a rough approximation of the maximum number of users is 2000-2500.
      (Note: meeting time ran out so we will continue with the above agenda at the next meeting.)